Why now? That is a question that Metropolitan Community Health Services, which operates as Agape Health Services (“Agape”) must be asking at this point in time. Agape is a federally qualified health center that just entered into a HIPAA related settlement with the Office for Civil Rights.
The reason for asking why now is that the breach that set off investigation leading to the fine was submitted on June 9, 2011.
Did any egregious circumstances exist? Was the fact pattern so far out in left field that a fine was inevitable? Based on the available information, no. The facts and issues are not overly different than what has been seen in other instances. That means it is not clear why a fine was issued.
With all of those questions, diving into the background may be helpful. First, it should be noted that Agape is a federally qualified health center (“FQHC”). What is an FQHC? As defined by the Health Resources and Services Administration (“HRSA”), the agency overseeing FQHCs, an FQHC is a community-based health care provider that receives funds from the HRSA Health Center Program to provide primary care services in underserved areas. An FQHC must also meet strict requirements around the fees that can be charged to patients. As should be clear from the description, FQHCs are not highly profitable healthcare organizations, but focus on populations in need.
Serving an at need patient population certainly does not excuse an FQHC from compliance obligations. However, it does show that resources, both time and monetary, may not be as readily available to devote to following many required steps. Again, that is not an excuse.
Looking at the facts, at least the bare minimum ones available in the settlement, Agape, as already noted, reported the breach on June 11, 2011. An email containing information about 1,263 patients being sent to an unknown email address was the breach reported. Without knowing more, the specific breach is nothing out of the ordinary and mostly suggests a need to recheck addresses before hitting send.
The results of the investigation did uncover compliance issues a bit worse than usual. The non-compliance included: (i) not having security policies, (ii) not having provided HIPAA training until June 2016, and (iii) failing to conduct a risk analysis. Unfortunately, the failure to conduct a risk analysis is almost always cited in a settlement. Even though that is the case, given the dated nature of the breach report, there were arguably not that many HIPAA settlements to be able to learn from at that point.
What did all of these issue net Agape? A $25,000 settlement with OCR.
The description of the facts and findings constitutes all of the information contained in the press release and the settlement. Almost complete non-compliance with security obligations is implied, but that may not be wholly unique. The description also does not suggest or hint that other data leakages were uncovered or that any adverse consequences resulted from the misdirected email. For a breach and the uncovered issues, it all sounds a bit plain vanilla.
Why a Settlement?
The timing of the settlement, the amount, and the type of entity involved do nothing to help explain why it occurred. The dollar amount involved can be explained by the size and nature of Agape. As an FQHC, it would most likely be strapped for cash and any significant penalty would run the risk of pushing it over the edge financially. Agape being an FQHC could be part of the reason for the settlement though. The settlement could be designed to reinforce the message that OCR will not exempt any type of entity from potential enforcement action. OCR will focus on the level of compliance and not be influenced by other factors. Pursuing that line of thinking is not entirely off base since government agencies, small practices, and other types of entities have all entered into settlements.
The biggest question mark though is the timing. The breach was reported in 2011. Why was a settlement obtained almost 9 years later? Also, how long did it take for an investigation to occur? Curiously, reference to the lack of training states that it took until 2016 for the first training to be conducted. Parsing that statement, it could imply that either OCR did not start digging into Agape’s operations until after 2016 or OCR was trying to provide technical guidance to Agape that was not being followed. However, even looking at that slightly odd statement still puts conduct almost 4 years old under the microscope.
Unless more information can be made available, the settlement with Agape only raises more questions than it answers. If anything, it seems to suggest that a breach no matter how old or small could result in OCR pursuing a settlement. That should leave organizations somewhat uncomfortable while also reinforcing the need to take compliance seriously.